Some payment transactions are made without a payment card, such as a debit or credit card, being read by a payment device. For example, this can happen when purchasing goods from an electronic retailer. Cardholders make these so-called Card-Not-Present (“CNP”) transactions by giving their payment credentials, such as the Primary Account Number (“PAN”), Expiration Date, and security code, to a merchant (e.g., an electronic retailer) without physically presenting the card to that merchant, as opposed to Card-Present transactions where a card is swiped, dipped, or tapped (typically by the cardholder) on a payment device to read the card data and initiate an electronic payment transaction.
CNP fraud can occur when valid credentials of a payment card are stolen from the genuine cardholder and then used by an unauthorized person to perform a payment transaction. These credentials can be stolen when computer systems (e.g., merchant accounts systems) are hacked. Theft of card credentials can also occur when unscrupulous individuals record card data while processing a payment and before returning the card to the cardholder. For example, an employee of a restaurant could write down the information printed on the plastic card of a patron while processing the payment.
Payment card companies use various security codes to combat fraud. Security codes, such as the Card Validation Code 2 (CVC2) and the Card Verification Value 2 (CVV2), were introduced by payment card companies specifically to address CNP fraud. These security codes are used as simple static passcodes to help ensure the genuine card is present at the moment of a CNP transaction. These codes can be printed on the back of a card (e.g., on the card's signature panel) but they can also be printed on the front of the card.
Although thieves are now forced to copy an additional piece of information to be able to perform fraudulent transactions, the last few years have seen ever growing levels of CNP fraud. This happened despite the attempts of most of the payment card companies to secure these security codes (e.g., by printing them on the back of the card to force thieves to copy both side of the card, by making the imprint difficult to read from a certain distance, or by forbidding merchants from storing those security codes on their systems, even temporarily).
In addition to the direct cost of fraudulent transactions, CNP fraud generate additional costs related to the management of fraud cases by issuers and merchants, and also by forcing issuers to issue new cards as a replacement for the counterfeited ones.
There already exist cards that can change their security code on a regular basis. These time-based products use a built-in electronic circuit with a real-time clock and a battery to calculate a new security code after a pre-determined length of time and show it on an electronic display embedded in the card. However, these solutions have a number of drawbacks: the real-time clock and the battery make the cards more fragile, the battery makes the card more expensive and limits its lifetime, and the time-based mechanism using the on-card clock makes it prone to de-synchronization with the server. Therefore, a need exists for a solution that allows for the security codes on cards to be changed during the lifetime of the cards that is cheaper, more robust, and more reliable than existing solutions.
The benefits of such a solution would be two-fold: first, keeping a solution based on security codes would avoid the need to change or replace the existing card payment infrastructure; second, changing the value of these security codes significantly decreases the possibility of fraudulent activity.